# letmeind daemon configuration.

[GENERAL]
# This config section holds general options.

# Enable debugging.
# This will print verbose syslog messages while modifying the firewall.
#
# Possible values: true, false
debug = true

# The control port that letmeind will listen on.
# This is the public internet facing port of the daemon.
#
# Possible values: Any valid port; TCP, UDP or both.
# If TCP and UDP flags are not specified, this defaults to TCP.
port = 5800
#port = 5800 / udp
#port = 5800 / tcp, udp

# Timeout (in seconds) for receiving and sending messages on the control port.
# If the timeout is exceeded, the TCP connection will be aborted.
#
# Possible values: A positive number of seconds.
control-timeout = 5.0

# Control port error policy.
#
# If the policy is set to 'always', then error messages will always
# be transmitted to the connected client.
# If the policy is set to 'basic-auth', then error messages are suppressed
# unless the connected client has passed basic authentication.
# If the policy is set to 'full-auth', then error messages are suppressed
# unless the connected client has passed full authentication.
#
# Possible values: always, basic-auth, full-auth
# The recommended value is: basic-auth
# The default value is: always
control-error-policy = always

# Turn the Linux seccomp feature on.
#
# Possible values: off, log, kill
#
# off: Seccomp turned off.
# log: Seccomp turned off, but access of prohibited syscalls will be logged to syslog.
# kill: Seccomp turned on. Letmeind will be killed if prohibited syscalls are called.
seccomp = off



[NFTABLES]
# This config section holds the nftables firewall configuration.

# nftables chain that letmeinfwd will modity.
family = inet
table = filter
chain-input = LETMEIN-INPUT

# Timeout of installed knock-open rules.
# Knocked-open ports will be closed again this many seconds after the knocking.
timeout = 600



[KEYS]
# This config section holds the table of users with their corresponding keys.
#
# Use command to generate new keys:
#  letmein gen-key

# User 00000001:
#00000001 = FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

# User 00000002:
#00000002 = FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF



[RESOURCES]
# This config section holds the table of knock-able ports.

# Resource ID '1A' maps to TCP port 2000:
#0000001A = port: 2000

# Resource ID '1B' maps to TCP port 3500:
#0000001B = port: 3500

# A resource can be restricted to one or more users.
# Restricted to users 1 and 2:
#0000001C = port: 4500 / users: 00000001, 00000002
# Restricted to user 1:
#0000001D = port: 5500 / users: 00000001

# Open port 6500 for TCP and UDP.
#0000001E = port: 6500 / tcp,udp
